URLs are improperly escaped #57
Comments
|
This is a necro issue, but I got the time to play around with showdown and XSS. In short, my conclusion is that you can't really prevent XSS attacks with markdown and claiming to do so will probably give some sense of false security, which is worse. The 2 rules of thumb are:
This excellent post by Michael Fortin provices more in-depth explanation |
|
Correct. As I wrote in my original comment, Markdown already allows markup injection by design, so this doesn't introduce any (unintended) security issues. It's still a defect, though, causing invalid markup to be generated in some cases. To avoid it, URLs should be HTML-escaped before being inserted between attribute quotes. |
|
@JakobKallin I agree. The problem is assuring that by URL encoding, well, URLs, we won't break the parser. I will look into it. |
|
Also keep in mind the difference between URL encoding and HTML escaping (neither of which has a standardized name as far as I know): URL encoding replaces characters that are not allowed in URLs, while HTML escaping replaces characters with special meaning in HTML. While I think both would work fine here in practice, HTML escaping is the correct one in this context. |
Converting the following Markdown:
yields the following HTML:
which in turn is parsed by the browser as:
The reason is that URLs are improperly escaped before being inserted into
hrefattributes.I discovered this by accident while writing a tutorial on XSS. It's a defect in the Showdown library that would allow for unintended script injection if Markdown weren't designed to allow inline HTML to begin with.
The text was updated successfully, but these errors were encountered: